3. This report contains indications relating to the following items:

I ☒ Basis of the report
Priority

I. Basis of the report

1. This report has been drawn up on the basis of the following elements (replacement sheets which have been
furnished to the receiving Office in response to an invitation under Article 14 are referred to in this
report as "originally filed" and are not annexed to the report since they do not contain
amendments (Rules 70.16 and 70.17)):

Description, pages:

1-23 as originally filed

Claims, Nos.:

1-32 received on 09/03/2001 with the letter of 05/03/2001

Drawings, sheets:

1/5-5/5 as originally filed

2. With regard to the language, all the elements indicated above were available or furnished to this Authority
in the language in which the international application was filed, unless otherwise indicated
under this item.

These elements were available or furnished to this Authority in the following language: , which is:

□ the language of a translation furnished for the purposes of international search (under Rule 23.1(b)).

□ the language of publication of the international application (under Rule 48.3(b)).

□ the language of the translation furnished for the purposes of international preliminary examination (under Rule 55.2 or



3. With regard to any nucleotide or amino acid sequence disclosed in the international application
(where applicable), the international preliminary examination was carried out on the basis of the
sequence listing:

□ contained in the international application, in written form.

□ filed together with the international application, in computer readable form.

□ furnished subsequently to this Authority, in written form.

□ furnished subsequently to this Authority, in computer readable form.

□ The statement that the subsequently furnished written sequence listing does not go beyond
the disclosure in the application as filed has been furnished.

□ The statement that the information recorded in computer readable form is identical to
the written sequence listing has been furnished.

4. The amendments have resulted in the cancellation of:
□ the description, pages:

☒ the claims, Nos.: 33-34

□ the drawings, sheets:

5. □ This report has been established as if (some of) the amendments had not been made, since they have been
considered to go beyond the disclosure of the invention as filed, as indicated below (Rule
70.2(c)):

(Any replacement sheet containing such amendments must be referred to under item 1 and
annexed to this report.)



6. Additional observations, if necessary:



V. Reasoned statement under Article 35(2) with regard to novelty, inventive step and industrial
applicability; citations and explanations supporting such statement

1. Statement

Novelty Yes: Claims 1-32

No: Claims

Inventive step Yes: Claims 1-32

No: Claims

Industrial applicability Yes: Claims 1-32

No: Claims



2. Citations and explanations
see separate sheet
Re Item V

1 The subject matter of Claim 1 appears to be novel and inventive.

Claim 1 defines a method for monitoring the flow of execution of a linear
series of instructions of a program.

The closest prior art cited in the description describes test methods that
try to prevent a malicious action arising from erroneous running of the
program. Malicious actions are, for example, the disclosure of secret data
stored on a smart card or the manipulation of such data. In a test
environment, these methods change the value of the instruction counter using
calculation modification or probing techniques. The modified instruction
counter causes the program to run in an unexpected manner. If none of these
unexpected runs of the program causes malicious actions, the running of the
program meets the security requirements and is approved.

The closest prior art cited by the applicant uses the technique of testing a
few erroneous values of the instruction counter to decide whether the running
of the program results from a malicious action. It is not possible to test
all the erroneous values of the instruction counter. Consequently, these test
methods cannot prove that the running of the program does not result from any
malicious action.

The method defined in Claim 1 does not use the testing technique but, on the
contrary, verifies that the linear series of instructions of a program is
executed in a linear manner. The verification comprises the extraction of a
data item from each instruction, a predetermined calculation on each data item
thus extracted and a comparison of the result of the calculation with a
predetermined reference data item. Consequently, the method defined in Claim 1
ensures that the running of the program does not result from any malicious
action.

Neither of the two documents cited in the international search report
describes a verification of the execution of a linear series of instructions
as defined in Claim 1.

Therefore, the subject matter of Claim 1 is novel and inventive and satisfies
the requirements of Article 33(2) and 33(3) PCT.

2 Claims 2-19 are dependent on Claim 1 and add further features to the
inventive method of Claim 1.
Therefore, the subject matter of Claims 2-19 is novel and inventive and
satisfies the requirements of Article 33(2) and 33(3) PCT.

3 Claim 20 relates to a device whose technical features are suited to the
steps of the methods according to Claims 1-19.

Claims 21-32 add further features to the device of Claim 20.

Therefore, the subject matter of Claims 20-32 is novel and inventive and
satisfies the requirements of Article 33(2) and 33(3) PCT.
1. A method for monitoring the flow of execution of a linear series of
instructions (Inst.1-Inst.n) of a computer program, consisting in analysing the
sequence of instructions transmitted to the processor (4) intended to execute the
monitored program and in verifying the result of this analysis by reference to
reference data (Vref) recorded with the said program, characterised in that
the reference data comprise a value (Vref) pre-established so as to
correspond to the result of the analysis carried out during the monitoring method
only if all the instructions (Inst.1-Inst.n) of the sequence of instructions have
actually been analysed during the running of the program, and in that the said
analysis of the sequence of instructions (Inst.1-Inst.n) comprises the extraction (38) of a
data item from each instruction transmitted to the processor (4) and a predetermined
calculation (40, 42) on each data item thus extracted, and in that the verification
comprises a comparison (50) of the result of the analysis with the reference
data (Vref).

2. A method according to Claim 1, characterised in that the said verification
of the result of the analysis is triggered by an instruction (Inst.n+1) placed at a
predetermined location in the program to be monitored, this instruction
containing the reference data (Vref) relating to a set of instructions
(Inst.1-Inst.n) whose correct execution is to be monitored.

3. A method according to either of Claims 1 and 2, characterised in
that, when the instructions (Inst.1-Inst.n) of the set of instructions to be monitored
are in the form of a value, for example codes recorded in
hexadecimal or decimal form, the said analysis of the instructions is carried out by considering
them as a numerical value.

4. A method according to Claim 1, comprising the steps consisting in:

- during the preparation of the program to be monitored:

- incorporating, at at least one predetermined location in a sequence of
instructions (Inst.1-Inst.n) of the program, a reference value (Vref) established
according to a predetermined rule applied to identifiable data in each
instruction to be monitored, and

- during the execution of the program to be monitored:

- obtaining (38) the said identifiable data in each instruction received with a
view to its execution,

- applying (40, 42) the said predetermined rule to the said identifiable
data thus obtained in order to establish a verification value (VHn), and

- verifying (50) that this verification value actually corresponds to the
reference value recorded with the program.

5. A method according to any one of Claims 1 to 4, characterised in
that it also comprises a step (56) of interrupting the running of the monitored
program if the analysis reveals that the monitored program has not run as
expected.

6. A method according to any one of Claims 1 to 5, characterised in
that it also comprises a step (70) of invalidating, for future use, the device
comprising the monitored program if the said analysis reveals a predetermined number
of times that the monitored program has not run as expected.

7. A method according to any one of Claims 1 to 6, characterised in
that the set of instructions to be monitored does not include jumps in its expected
flow.

8. A method according to any one of Claims 1 to 6, characterised in
that, when the program (EI1, EI2, EI3) or the program portion to be monitored
provides for at least one jump, the monitoring method is applied separately to
sets of instructions of this program which do not include jumps between two
successive instructions.

9. A method according to Claim 8, characterised in that, when the
program to be monitored includes an instruction (EI1-j) giving rise to a jump
dependent on the manipulated data, the monitoring method is implemented
separately for a set of instructions (EI1) which precedes the jump, and for at
least one set of instructions (EI2, EI3) which follows this jump.

10. A method according to Claim 9, characterised in that, for a set
of instructions (EI1) providing for a jump, the instruction (EI1-j) which
controls this jump is included in this set for the purposes of the analysis aimed at obtaining the verification value
(VH) of this set of instructions, and the correct running of this
set of instructions is thus verified before the jump instruction is executed.

11. A method according to any one of Claims 1 to 10, characterised in
that the analysis is reinitialised before each new monitoring of a sequence
or set (EI1, EI2, EI3) of instructions to be monitored.

12. A method according to Claim 11, characterised in that the
reinitialisation of the analysis at each new monitoring consists in erasing or
replacing a verification value (VH) obtained during a previous analysis.

13. A method according to Claim 11 or 12, characterised in that the
reinitialisation of the monitoring analysis is controlled by the protected software
itself.

14. A method according to any one of Claims 1 to 13, characterised in
that the analysis produces a verification value (VH) obtained as the last
value in a series of values which is made to evolve successively with the analysis of
each of the analysed instructions (Inst.1-Inst.n) of the set of instructions,
thus making it possible to hold an internal state of the running of the
monitoring method and to follow its evolution.

15. A method according to any one of Claims 1 to 14, characterised in
that the analysis consists in calculating (40, 42), for each instruction under consideration
(Inst.n) following a preceding instruction (Inst.n-1), the result of an operation
on both a value (VHn) obtained from the instruction under consideration and the result
(VHn-1) obtained by the same operation performed on the preceding instruction.
16. A method according to any one of Claims 1 to 15, characterised in
that the analysis consists in recursively applying a hash function
f(VHn-1, Vinst.n) to values obtained from each monitored instruction,
starting from the last initialisation performed.

17. A method according to any one of Claims 1 to 15, characterised in
that the analysis consists in making a verification value evolve by performing a
redundancy calculation, not necessarily cryptographic, on all the operation
codes and the addresses executed since the last initialisation performed.

18. A method according to any one of Claims 1 to 17, characterised in
that the analysis consists in obtaining a comparison value (VCn) by calculating
successive intermediate values as the data of the respective instructions
serving for this calculation are obtained during the execution of these instructions.

19. A method according to any one of Claims 1 to 17, characterised in
that the analysis comprises a step of saving each data item necessary
for the verification, obtained from the instructions of the set of instructions to be
monitored (Inst.1-Inst.n) as they are executed, and of performing
a calculation of the verification value (VHn) from these data only at the
necessary time, once all the necessary data have been obtained.



20. A device for monitoring the flow of execution of a series of
instructions (Inst.1-Inst.n) of a computer program implementing the
monitoring method according to any one of Claims 1 to 19, characterised
in that it comprises means (22-26) for analysing the sequence of instructions
transmitted to the processor (4) intended to execute the monitored program and
means (26) for verifying the result (VCn) of this analysis by reference to
reference data (Vref) recorded with the said program.

21. A device according to Claim 20, adapted to implement the
monitoring method according to any one of Claims 1 to 19, characterised
in that it has a register (24) for recording intermediate results (VH)
in a chained calculation carried out by the analysis means (26)
in order to obtain a verification value (VHn).

22. A device according to Claim 21, characterised in that it comprises
means for allowing the recording of a predetermined value or a resetting
of the register (24) under the control of an instruction (Inst.n+1) transmitted during
the execution of a program to be monitored, for example on the occasion of a jump in the
program.

23. A device according to any one of Claims 20 to 22, characterised
in that it has a means (60) for counting the number of unexpected runs
of the monitored program, as determined by the analysis means (26),
and means for invalidating future use of the program to be monitored if this
number reaches a predetermined threshold (VCseuil).

24. A device according to any one of Claims 20 to 23, characterised
in that it is integrated in a programmed device, such as a smart card, containing
the said program to be monitored.

25. A device according to any one of Claims 20 to 23, characterised
in that it is integrated in a program execution device (20).

26. A program execution device (20), intended to execute a series of
instructions (Inst.1-Inst.n) of a computer program, characterised in that it
has means (22-26) for analysing the sequence of instructions transmitted
for execution and means for verifying the result of this analysis by reference to
reference data (Vref) recorded with the program to be monitored, according to
any one of Claims 20 to 23.

27. A program execution device (20) according to Claim 26,
adapted to implement the method according to any one of Claims 1
to 21.
28. A programmed device comprising a series of recorded instructions
(Inst.1-Inst.n), characterised in that it also comprises a fixed memory containing
reference data (Vref) pre-established as a function of data contained in
the said instructions and intended to allow verification of the sequence of
instructions analysed according to any one of Claims 1 to 21, the said
device being intended to cooperate with a monitoring device according to any
one of Claims 20 to 27.

29. A device according to Claim 28, characterised in that it is in the
form of a smart card.

30. A device according to Claim 30 or 31, characterised in that the
reference data (Vref) are recorded in the form of hard-wired value(s)
fixed in memory.

31. A device for programming a device intended to be programmed
according to any one of Claims 28 to 30, characterised in that it comprises
means for writing, at at least one predetermined location in a sequence of
instructions of the program (Inst.1-Inst.n), a reference value (Vref) calculated
according to a pre-established mode from data included in each instruction of a
set of instructions whose execution it is desired to monitor.

32. A virtual machine or interpreter interpreting critical code,
characterised in that it implements the method according to any one of
Claims 1 to 19 for the execution of this critical code.
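
The monitoring method of the amended claim set above (claims 1, 2, 4 to 6, 8, 11 and 15 to 17), sketched in C as an added example; it is not code from the application or the applicant. The toy instruction format, the OP_INIT and OP_CHECK opcodes, the use of FNV-1a as the chained function f(VHn-1, Vinst.n) and the `skip` parameter that models an instruction never reaching the processor are all assumptions of this sketch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy instruction format and control opcodes: assumptions of this example. */
enum { OP_INIT = 0xF0, OP_CHECK = 0xF1 };
enum { RUN_OK = 0, RUN_INTERRUPTED = 1, RUN_INVALIDATED = 2 };

typedef struct { uint8_t opcode; uint32_t operand; } inst_t;

typedef struct {
    uint32_t vh;          /* chained verification value VH (register 24) */
    unsigned faults;      /* number of unexpected runs seen (counter 60) */
    unsigned threshold;   /* VCseuil: faults at which the device is invalidated */
    int invalidated;      /* once set, every later run is refused */
} monitor_t;

#define VH_INIT 0x811C9DC5u   /* FNV-1a offset basis, used as the reset value */

/* f(VH[n-1], Vinst[n]): one FNV-1a pass over the opcode and operand bytes.
 * FNV-1a is this example's stand-in for the non-cryptographic calculation. */
static uint32_t chain(uint32_t vh, const inst_t *in)
{
    const uint8_t b[5] = { in->opcode, (uint8_t)in->operand,
                           (uint8_t)(in->operand >> 8),
                           (uint8_t)(in->operand >> 16),
                           (uint8_t)(in->operand >> 24) };
    for (size_t i = 0; i < sizeof b; i++)
        vh = (vh ^ b[i]) * 16777619u;
    return vh;
}

/* Preparation: compute Vref per jump-free block and store it in the operand
 * of the OP_CHECK instruction that closes the block. */
void embed_vref(inst_t *prog, size_t n)
{
    uint32_t vh = VH_INIT;
    for (size_t i = 0; i < n; i++) {
        if (prog[i].opcode == OP_INIT)       vh = VH_INIT;
        else if (prog[i].opcode == OP_CHECK) prog[i].operand = vh;
        else                                 vh = chain(vh, &prog[i]);
    }
}

/* Execution: every instruction that reaches the processor updates VH.
 * skip < n models a disturbance that makes prog[skip] never arrive;
 * pass skip == n for an undisturbed run. */
int run_monitored(monitor_t *m, const inst_t *prog, size_t n, size_t skip)
{
    if (m->invalidated)
        return RUN_INVALIDATED;
    for (size_t i = 0; i < n; i++) {
        if (i == skip)
            continue;
        if (prog[i].opcode == OP_INIT) {
            m->vh = VH_INIT;                     /* reinitialise the analysis */
        } else if (prog[i].opcode == OP_CHECK) {
            if (m->vh != prog[i].operand) {      /* comparison with Vref */
                if (++m->faults >= m->threshold) {
                    m->invalidated = 1;
                    return RUN_INVALIDATED;
                }
                return RUN_INTERRUPTED;          /* stop before going further */
            }
        } else {
            m->vh = chain(m->vh, &prog[i]);      /* then execute the instruction */
        }
    }
    return RUN_OK;
}

/* Constructed sample: two jump-free blocks, each closed by an OP_CHECK. */
size_t sample_program(inst_t *p)
{
    const inst_t src[] = {
        {OP_INIT, 0}, {0x10, 0x2000}, {0x22, 0x0004}, {0x31, 0x2004}, {OP_CHECK, 0},
        {OP_INIT, 0}, {0x40, 0x3000}, {0x12, 0x0001}, {OP_CHECK, 0},
    };
    const size_t n = sizeof src / sizeof src[0];
    for (size_t i = 0; i < n; i++)
        p[i] = src[i];
    embed_vref(p, n);
    return n;
}

int main(void)
{
    inst_t prog[16];
    size_t n = sample_program(prog);
    monitor_t m = { VH_INIT, 0, 3, 0 };
    printf("clean run           -> %d\n", run_monitored(&m, prog, n, n));
    printf("prog[2] missing     -> %d\n", run_monitored(&m, prog, n, 2));
    printf("prog[7] missing     -> %d\n", run_monitored(&m, prog, n, 7));
    printf("prog[1] missing     -> %d\n", run_monitored(&m, prog, n, 1));
    printf("clean run, too late -> %d\n", run_monitored(&m, prog, n, n));
    return 0;
}
```

The check only fires when the OP_CHECK instruction itself is reached, which is why claim 10 places the comparison before the jump instruction is executed.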
□ the international application as originally filed
the description:

pages 1~23, as originally filed
pages , filed with the demand
pages , filed with the letter of

the claims:

pages , as originally filed
pages , as amended (together with any statement under Article 19
pages , filed with the demand
pages , filed with the letter of

the drawings:

pages 1/5-5/5, as originally filed
pages , filed with the demand
pages , filed with the letter of

□ the sequence listing part of the description:

pages , as originally filed
pages , filed with the demand
pages , filed with the letter of

2. With regard to the language, all the elements marked above were available or furnished to this Authority in the language in which 
the international application was filed, unless otherwise indicated under this item. 

These elements were available or furnished to this Authority in the following language which is: 

□ the language of a translation furnished for the purposes of international search (under Rule 23.1(b)).
□ the language of publication of the international application (under Rule 48.3(b)).

□ the language of the translation furnished for the purposes of international preliminary examination (under Rule 55.2 and/or 55.3).

With regard to any nucleotide and/or amino acid sequence disclosed in the international application, the international
preliminary examination was carried out on the basis of the sequence listing:

□ contained in the international application in written form.

□ filed together with the international application in computer readable form.

□ furnished subsequently to this Authority in written form.

□ furnished subsequently to this Authority in computer readable form.

□ The statement that the subsequently furnished written sequence listing does not go beyond the disclosure in the
international application as filed has been furnished.

□ The statement that the information recorded in computer readable form is identical to the written sequence listing has
been furnished.

The amendments have resulted in the cancellation of:

□ the description, pages

☒ the claims, Nos. 33-34

□ the drawings, sheets/fig



□ This report has been established as if (some of) the amendments had not been made, since they have been considered to go 
beyond the disclosure as filed, as indicated in the Supplemental Box (Rule 70.2(c)).** 

* Replacement sheets which have been furnished to the receiving Office in response to an invitation under Article 14 are referred to 
in this report as "originally filed" and are not annexed to this report since they do not contain amendments (Rule 70.16 
and 70.17). 

**Any replacement sheet containing such amendments must be referred to under item 1 and annexed to this report. 
V. Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial applicability;
citations and explanations supporting such statement

1. Statement

Novelty (N)                     Claims 1-32   YES
                                Claims        NO

Inventive step (IS)             Claims 1-32   YES
                                Claims        NO

Industrial applicability (IA)   Claims 1-32   YES
                                Claims        NO

2. Citations and explanations 



1 The subject matter of Claim 1 appears to be novel
and inventive.

Claim 1 defines a method for monitoring the flow of 
execution of a linear series of program 
instructions. 



The closest prior art, which is mentioned in the 
description, describes test methods aimed at 
avoiding unauthorised actions resulting from 
incorrect running of the program. Unauthorised 
actions are, for example, the disclosure of 
confidential data recorded in an electronic card or 
tampering with such data. In a test environment, 
these methods alter the value of the instruction 
counter using calculation modification or probing 
techniques. The altered instruction counter causes 
the program to run in an unexpected manner. If none 
of the events occurring during the unexpected 
running of the program causes an unauthorised 
action, then the running of the program meets the 
security requirements and is approved. 
The closest prior art cited by the applicant uses
the method whereby a plurality of erroneous values
of the instruction counter are tested in order to
ascertain whether the running of the program is the
result of an unauthorised action. It is not possible
to test all of the erroneous values of the
instruction counter. Consequently, these test
methods cannot prove that the running of the program
does not result from any unauthorised action.

The method defined in Claim 1 does not use the 
testing technique, but instead verifies that the 
linear series of instructions of a program has been 
executed in a linear manner. This verification 
involves extracting a data item from each 
instruction, performing a predetermined calculation 
on each data item thus extracted and comparing the 
result of the calculation with a predetermined 
reference data item. Consequently, the method 
defined in Claim 1 ensures that the running of the
program does not result from any unauthorised
action.

Neither of the two documents cited in the 
international search report describes the 
verification of the execution of a linear series of 
instructions as defined in Claim 1. 

The subject matter of Claim 1 is therefore novel and
inventive and satisfies the requirements of PCT
Article 33(2) and (3).

Claims 2-19 are dependent on Claim 1 and add further 
features to the inventive method of Claim 1. 
Consequently, the subject matter of Claims 2-19 is 
novel and inventive and satisfies the requirements
of PCT Article 33(2) and (3). 



3. Claim 20 concerns a device with technical features
which make it suitable for carrying out the steps of
the methods defined in Claims 1-19. 

Claims 21-32 add further features to the device of 
Claim 20. 

Consequently, the subject matter of Claims 20-32 is 
novel and inventive and satisfies the requirements 
of PCT Article 33(2) and (3). 
CLAIMS

1. A method for monitoring progress with the
execution of a series of instructions (Inst.1-Inst.n)
in a computer program, consisting in analysing the
sequence of instructions transmitted to the processor
(4) intended to execute the program being monitored and
in verifying the result of this analysis by reference to
reference data (Vref) recorded with the said program.

2. A method according to Claim 1, characterised
in that the reference data comprise a value (Vref) pre-
established so as to correspond to the result of this
analysis produced during the monitoring method only if
all the instructions (Inst.1-Inst.n) in the sequence of
instructions have actually been analysed during the
running of the program.

3. A method according to Claim 1 or 2,
characterised in that the said analysis of the sequence
of instructions (Inst.1-Inst.n) comprises the
extraction (38) of a data item from each instruction
transmitted to the processor (4) and a predetermined
calculation (40, 42) on each data item thus extracted,
and in that the verification comprises a comparison
(50) of the result of the analysis with the reference
data (Vref).

4. A method according to any one of Claims 1 to
3, characterised in that the said verification of the
result of the analysis is caused by an instruction
(Inst.n+1) placed at a predetermined location in the
program to be monitored, this instruction containing
the reference data (Vref) relating to a set of
instructions (Inst.1-Inst.n) whose correct execution is
to be monitored.

5. A method according to any one of Claims 1 to
4, characterised in that, when the instructions
(Inst.1-Inst.n) of the set of instructions to be
monitored are in the form of a value, for example codes
recorded in hexadecimal or decimal form, the said
analysis of the instructions is carried out considering
these as a numerical value.

6. A method according to Claim 1, comprising the
steps consisting in:

- during the preparation of the program to be
monitored:

- incorporating, at at least one
predetermined location in a sequence of
instructions (Inst.1-Inst.n) in the program, a
reference value (Vref) established according to a
predetermined rule applied to identifiable data in
each instruction to be monitored, and

- during the execution of the program to be
monitored:

- obtaining (38) the said identifiable data
in each instruction received with a view to its
execution,

- applying (40, 42) the said predetermined
rule to the said identifiable data thus obtained
in order to establish a verification value (VHn),
and

- verifying (50) that this verification
value actually corresponds to the reference value
recorded with the program.

7. A method according to any one of Claims 1 to
6, characterised in that it also comprises a step (56)
of interrupting the flow of the program monitored if
the analysis reveals that the program being monitored
has not been run as expected.

8. A method according to any one of Claims 1 to
7, characterised in that it also comprises an
invalidation step (70) for future use of the device
comprising the monitored program if the said analysis
reveals a predetermined number of times that the
program being monitored has not run in the expected
manner.

9. A method according to any one of Claims 1 to
8, characterised in that the set of instructions to be
monitored does not include jumps in its expected flow.

10. A method according to any one of Claims 1 to
8, characterised in that, when the program (EI1, EI2,
EI3) or the program portion to be monitored provides
for at least one jump, the monitoring method is applied
separately to sets of instructions in this program
which do not include jumps between two successive
instructions.

11. A method according to Claim 10,
characterised in that, when the program to be monitored
includes an instruction (EI1-j) giving rise to a jump
dependent on the manipulated data, the monitoring
method is implemented separately for a set of
instructions (EI1) which precedes the jump, and for at
least one set of instructions (EI2, EI3) which follows
this jump.

12. A method according to Claim 11,
characterised in that, for a set of instructions (EI1)
providing for a jump, there is integrated in this set
the instruction (EI1-j) which controls this jump for
the purpose of the analysis aimed at obtaining the
verification value (VH) for this set of instructions,
and thus the correct running of this set of
instructions is verified before executing the jump
instruction.

13. A method according to any one of Claims 1 to 
12, characterised in that the analysis is reinitialised 
before each new monitoring of a sequence or set (EI1,
EI2, EI3) of instructions to be monitored. 

14. A method according to Claim 13, 
characterised in that the reinitialisation of the 
analysis of each new monitoring consists in erasing or 
replacing a verification value (VH) obtained during a 
previous analysis. 

15. A method according to Claim 13 or 14, 
characterised in that the reinitialisation of the 
monitoring analysis is controlled by the protected 
software itself. 

16. A method according to any one of Claims 1 to
15, characterised in that the analysis produces a
verification value (VH) obtained as the last value in a
series of values which is made to change successively
with the analysis of each of the analysed instructions
(Inst.1-Inst.n) of the set of instructions, thus making
it possible to contain an internal state of the running
of the monitoring method and to follow its changes.

17 . A method according to any one of Claims 1 to 

16, characterised in that the analysis consists in 
calculating (40, 42), for each instruction under 
consideration (Inst.n) following on from a previous 
instruction (Inst.n-1), the result of an operation on 
both a value (VHn) obtained of the instruction in 
question and the result (VHn-1) obtained by the same 
operation performed on the previous instruction. 

18. A method, according to any one of Claims 1 to 

17, characterised in that the analysis consists in 
recursively applying a hash function f (VHn-1, Vinst.n) 
to values obtained of each monitored instruction, 
starting from a last initialisation performed.- 

19. A method according to any one of Claims 1 to 
17, characterised in that the analysis consists in 
making a verification value change by performing a 
redundancy calculation, not necessarily cryptographic, 
on all the operating codes and the addresses executed 
since the last initialisation carried out. 

20. A method according to any one of Claims 1 to 
19, characterised in that the analysis consists in 
obtaining a comparison value (VCn) by calculating 
successive intermediate values as the data of the 
respective instructions serving for this calculation 
during the execution of these instructions are 
obtained. 

21. A method according to any one of Claims 1 to 
19, characterised in that the analysis comprises a step 
of saving each data item necessary for verification, 
obtained from instructions in the set of instructions 
to be monitored (Inst.1-Inst.n) as they are executed, 
and performing a calculation of the verification value 
(VHn) from these data only at the necessary time, once 
all the necessary data have been obtained. 

22. A device for monitoring progress with the 
execution of a series of instructions (Inst.1-Inst.n) 
of a computer program, having means (22-26) for 
analysing the sequence of instructions transmitted to 
the processor (4) intended to execute the program being 
monitored and means (26) for verifying the result (VCn) 
of this analysis by reference to reference data (Vref) 
recorded with the said program. 

23. A device according to Claim 22, adapted to 
implement the monitoring method according to any one of 
Claims 1 to 21, characterised in that it has a register 
(24) for recording intermediate results (VH) in a 
calculation in a chain carried out by the analysis 
means (26) in order to obtain a verification value 
(VHn). 

24. A device according to Claim 23, 
characterised in that it comprises means for allowing 
the recording of a predetermined value or a resetting 
of the register (24) under the control of an 
instruction (Inst.n+1) transmitted during the execution 
of a program to be monitored, for example on the 
occasion of a jump in the program. 



25. A device according to any one of Claims 22 
to 24, characterised in that it has a means (60) for 
counting the number of unexpected events in the program 
being monitored, as determined by the analysis means 
(26), and means for invalidating the future use of the 
program to be monitored if this number reaches a 
predetermined threshold (VCthreshold). 

26. A device according to any one of Claims 22 
to 25, characterised in that it is integrated into a 
programmed device, such as a smart card, containing the 
said program to be monitored. 

27. A device according to any one of Claims 22 
to 25, characterised in that it is integrated into a 
program execution device (20). 

28. A program execution device (20) intended to 
execute a series of instructions (Inst.1-Inst.n) of a 
computer program, characterised in that it has means 
(22-26) for analysing the sequence of instructions 
transmitted for execution and means for verifying the 
result of this analysis by reference to reference data 
(Vref) recorded with the program to be monitored. 

29. A program execution device (20) according to 
Claim 28, adapted to implement the method according to 
any one of Claims 1 to 21. 

30. A programmed device containing a series of 
recorded instructions (Inst.1-Inst.n), characterised in 
that it also contains reference data (Vref) pre-established 
as a function of data contained in the said 
instructions and intended to allow verification of the 
sequence of instructions analysed according to any one 
of Claims 1 to 21. 

31. A device according to Claim 30, 
characterised in that it is in the form of a smart 
card. 

32. A device according to Claim 30 or 31, 
characterised in that the reference data (Vref) are 
recorded in the form of a prewired value or values 
fixed in memory. 

33. A device for programming a device intended 
to be programmed according to any one of Claims 30 to 
32, characterised in that it comprises means for 
entering, at at least one predetermined location in a 
sequence of instructions in the program (Inst.1-Inst.n), 
a reference value (Vref) calculated according 
to a pre-established mode from data included in each 
instruction in a set of instructions whose execution it 
is wished to monitor. 

34. A virtual machine or interpreter 
interpreting a critical code, characterised in that it 
implements the method according to any one of Claims 1 
implements the method according to any one of Claims 1 
to 21 for the execution of this critical code. 
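
An added illustration, not part of the patent text: a software model of the monitor described in Claims 16 to 19 and 22 to 25, with a register VH chained over the operating code and address of each executed instruction, a comparison against Vref, a reset to a predetermined value, and a counter that invalidates the program at a threshold. The claims fix no concrete function f; the CRC-16/CCITT step, the constants VH_INIT and VC_THRESHOLD and all type and function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define VH_INIT      0xFFFFu /* constructed: predetermined value loaded on reset */
#define VC_THRESHOLD 3u      /* constructed: anomaly count that invalidates the program */

typedef struct { uint16_t addr; uint8_t opcode; } inst_t;   /* one executed instruction */
typedef struct { uint16_t vh; unsigned faults; int invalidated; } monitor_t;

/* f(VHn-1, byte): one CRC-16/CCITT step, a non-cryptographic redundancy calculation. */
static uint16_t chain_step(uint16_t vh, uint8_t byte) {
    vh ^= (uint16_t)(byte << 8);
    for (int i = 0; i < 8; i++)
        vh = (vh & 0x8000u) ? (uint16_t)((vh << 1) ^ 0x1021u) : (uint16_t)(vh << 1);
    return vh;
}

/* Reinitialisation: replace the verification value left by the previous analysis. */
void monitor_reset(monitor_t *m) { m->vh = VH_INIT; }

/* Fold the operating code and the address of one executed instruction into VH. */
void monitor_observe(monitor_t *m, inst_t in) {
    m->vh = chain_step(m->vh, in.opcode);
    m->vh = chain_step(m->vh, (uint8_t)(in.addr >> 8));
    m->vh = chain_step(m->vh, (uint8_t)(in.addr & 0xFFu));
}

/* Compare VHn with Vref; count a mismatch and invalidate at the threshold. */
int monitor_check(monitor_t *m, uint16_t vref) {
    int ok = (m->vh == vref);
    if (!ok && ++m->faults >= VC_THRESHOLD) m->invalidated = 1;
    monitor_reset(m);
    return ok;
}

/* Monitor one set of instructions as executed; returns 1 when VHn equals Vref. */
int run_set(monitor_t *m, const inst_t *executed, size_t n, uint16_t vref) {
    monitor_reset(m);
    for (size_t i = 0; i < n; i++) monitor_observe(m, executed[i]);
    return monitor_check(m, vref);
}

/* Programming-time side: derive Vref from the instructions as written. */
uint16_t compute_vref(const inst_t *set, size_t n) {
    monitor_t m = { VH_INIT, 0, 0 };
    for (size_t i = 0; i < n; i++) monitor_observe(&m, set[i]);
    return m.vh;
}
```

Because the chain is a CRC with the same starting value on both sides, any change confined to a single operating code or a single address always yields a VHn different from Vref; other deviations are detected with high probability rather than with certainty.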



